EPS (justeps) wrote,

Configuring XChat to support SSL access to freenode

freenode now supports SSL access since their recent migration to ircd-seven.

However, XChat won't work "out of the box" unless you enable the "Accept invalid SSL certificate" option—which defeats one of the key advantages of using SSL in the first place.

freenode's IRC Servers documentation has a section titled "Accessing freenode Via SSL," but it doesn't tell you which certificates you really need. That's partially answered on the FAQ page, which has a link to GandiStandardSSLCA. But they don't tell you this is actually an intermediate certificate that depends on two other Comodo certificates:

  • UTNAddTrustServerCA a/k/a UTN_USERFirst_Hardware_Root_CA
  • AddTrustExternalCARoot a/k/a AddTrust_External_Root

So you may need to install up to three trusted certificates before SSL will work properly.

One "gotcha"—if you have certificate files that look like binary data, they're probably in DER format. XChat uses OpenSSL, which wants to see PEM (base64) format instead. Fortunately, it's easy to convert formats:

openssl x509 -inform DER -in GandiStandardSSLCA.crt -out GandiStandardSSLCA.pem

(You shouldn't need to specify -outform PEM since that's supposed to be the default.)

If you drop a certificate into /etc/ssl/certs/, OpenSSL will only find it there through a symlink named after the certificate's subject hash, so you need to create that link as well:

openssl x509 -in GandiStandardSSLCA.pem -noout -hash

This will print eight hex digits. Append .0 to that and use the result as the link name (run this inside /etc/ssl/certs/, since the link target is relative):

ln -s GandiStandardSSLCA.pem 3a57595e.0
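The three steps above (convert to PEM, compute the hash, create the link) combined into one function, as an added example that is not part of the original post. The function name install_ca_cert is hypothetical, and the sample input is a constructed throwaway CA in a temporary directory rather than the Gandi/Comodo certificates, so nothing under /etc/ssl/certs is touched.

```shell
#!/bin/sh
# install_ca_cert SRC CERTDIR  (hypothetical helper; SRC lives outside CERTDIR)
# Stores SRC in CERTDIR as PEM and creates the <hash>.N symlink OpenSSL uses
# for directory lookups. Prints the link name.
install_ca_cert() {
    src=$1 dir=$2
    base=$(basename "$src")
    pem="$dir/${base%.*}.pem"
    # Try the file as given first; older OpenSSL needs -inform DER for binary input.
    if openssl x509 -in "$src" -noout 2>/dev/null; then
        openssl x509 -in "$src" -out "$pem" || return 1
    else
        openssl x509 -inform DER -in "$src" -out "$pem" || return 1
    fi
    hash=$(openssl x509 -in "$pem" -noout -hash) || return 1
    fp=$(openssl x509 -in "$pem" -noout -fingerprint -sha256)
    n=0
    # Different CAs can share a hash; OpenSSL then tries .0, .1, ... in order.
    while [ -e "$dir/$hash.$n" ] || [ -L "$dir/$hash.$n" ]; do
        other=$(openssl x509 -in "$dir/$hash.$n" -noout -fingerprint -sha256 2>/dev/null)
        [ "$other" = "$fp" ] && { echo "$hash.$n"; return 0; }  # already linked
        n=$((n + 1))
    done
    ln -s "$(basename "$pem")" "$dir/$hash.$n" && echo "$hash.$n"
}

# Constructed sample: a throwaway self-signed CA saved in DER form, like the
# "binary-looking" certificate files mentioned above.
work=$(mktemp -d)
mkdir "$work/certs"
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
    -keyout "$work/ca.key" -out "$work/ca-src.pem" 2>/dev/null
openssl x509 -in "$work/ca-src.pem" -outform DER -out "$work/TestCA.crt"

link=$(install_ca_cert "$work/TestCA.crt" "$work/certs")
echo "linked $link -> $(readlink "$work/certs/$link")"

# Confirm OpenSSL can now find the CA through the hashed directory.
openssl verify -CApath "$work/certs" "$work/ca-src.pem"
```

Running the function a second time on the same certificate returns the existing link instead of creating a duplicate .1 entry.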

